For the past several years, financial profit has been the overriding motive for cyber crime.
Even as computer users have become more Web savvy and avoid clicking on questionable URLs, hackers have kept a step ahead by constantly altering their tactics.
Over the past year cybercrooks have earned big bucks compromising legitimate, high-traffic sites, and then stealing sensitive data, such as credit card numbers.
In the past, by compromising and using an already-popular site — such as CBS.com – criminals have successfully deceived a large number of Web users.
Last November, for instance, CBS.com was compromised by hackers in Russia. The group added hidden code to pages on the site that automatically installed malware every visitor’s PC.
Seventy-five to 90 per cent of all infected Web pages targeting businesses and end users originate from legitimate Web pages, said Ophir Shalitin, director of marketing at Web security firm Finjan Inc. headquartered in San Jose, Calif.
Successful has this technique may have been, the likelihood of the rogue code being noticed and removed is much greater on a popular, well-established site.
So hackers are shifting gears yet again, according to Finjan.
The company’s latest Cybercrime Intelligence Report indicates that online crooks are building their own Web pages, and then using search engine optimization (SEO) techniques to drive high traffic volumes to their Web sites.
Visitors thus lured to their sites are marketed rogue software, or have malware installed on their machines.
Crafty SEO
One ploy used by cybercrooks to get high rankings in Google or Yahoo is to inject into their Web pages misspelled versions of popular search terms – such as “obbama” or “mobile fone.”
When users enter these misspelled terms into Google or Yahoo, the criminal’s compromised pages are indexed and rank among the top search results.
Cybercriminals also use Google Trends System to identify which words are popular in real-time.
“Since they make money by trading stolen data or selling rogue software, they look for new and innovative techniques all the time,” said Yuval Ben-Itzhak, chief technology officer at Finjan. “To increase the distribution of reach of their rogueware, they successfully turned to SEO.”
Doorways to hell
The report also found that to improve their search rankings, cybercriminals build “doorways”, or dynamically generated pages that are linked to other dynamic pages.
The search engine user is then redirected through a series of pages to the rogue site, which tells the user they have infected and needs to clean their computer by purchasing their software.
Use of SEO has been very effective, yielding nearly half a million Google searches to compromised sites, according to statistics found on a criminal’s server during the research.
Almost two million users were redirected to the rogueware page in just 16 consecutive days. Approximately 1.79 per cent of victims paid the full $50 for the rogueware, and 7 to 12 per cent installed the software.
Affiliate members received 9.6 cents for every successful redirection, totaling $172,000 or $10,800 per day. That’s about two million dollars per person, per year.
There aren’t a lot of solutions to stopping the SEO-based attacks, other than education, which could make their businesses less profitable and worthwhile.
But Shalitin said the search engine companies need to address the issue of malicious use of their ranking system.
Search engines could try to monitor which search terms hackers are using, which high-raking sites appear to deliberately use variants of highly searched words and identify suspect Web pages.
“I believe, over time, there will be more successful ways but it’s always an arms race in the legitimate and cybercrime world.”
And rather than engage in this arms race themselves, many businesses are opting to outsource security management entirely, according to Symantec Corp.’s 2009 Managed Security in the Enterprise Report.
The study is based on surveys of 1,000 IT managers in the U.S. and Europe conducted by the Cupertino, Calif.-based security firm.
Outsourcing the battle
Feedback from IT professionals indicates, cyber risks and actual attacks have grown significantly, and will grow even further over the next two years.
“There is a vibrant market economy for stolen information out there,” said Grant Geyer, vice president of managed services at Symantec.
He called the data losses incurred by companies “staggering.”
“Ninety-eight per cent said they’ve had tangible losses and during the period of the economic downturn, and don’t have staff to deal with it.”
Around 52 per cent of corporate cyber attacks arise from unintentional actions by employees, Geyer said.
“We see this all the time — an employee brings a computer home and inadvertently download spyware, or a misconfiguration on the mail server lets a spammer take over.”
He said there are innumerable opportunities for unintentional mistakes that let malware take control of a PC or the entire IT environment.
Forty-six per cent of IT managers polled by Symantec said threats increased in the past two years, and 48 per cent believe they will continue to worsen over the next two years.
Nearly all organizations surveyed experienced tangible loss as a result of cyber crime.
As many as 88 per cent of IT managers surveyed experienced actual attacks in the last two years, and 29 per cent said the hacker’s attempts were somewhat or highly effective.
Many firms don’t seem to have resources internally to handle these threats.
Two in five organizations reported they are somewhat or significantly understaffed, mainly because of difficulties in finding qualified applicants, layoffs, or shortage of funds in the current economic situation.
As a result, 61 per cent of U.S. enterprise-sized businesses are moving to adopt managed security services.
“Malicious code doesn’t sleep,” Geyer noted. “Hackers can work 24/7 depending on country they launch attacks from. There are very active hacking groups prolific in all parts of the world so if your job is to protect, you’re always a doorstop away from the bad guys or bad software.”
It’s clear the problem hasn’t got any better.
Melissa’s miasma
Thursday, March 26, marks the 10-year anniversary of the Melissa virus – the world’s first email virus, which spread so quickly it overloaded Inboxes worldwide.
The virus sent an email entitled Here is that document you asked for … don’t show anyone else 😉 to the first 50 email addresses on the victim’s Microsoft Outlook mailing list.
The e-mail didn’t cause irreparable damage, said Alex Shipp, senior director, emerging anti-malware technologies for MessageLabs services.
But it’s generally viewed as the first rapid, economically-destructive botnet e-mail, which set a precedent for future threats.
Since March 1999, 108 strains of the Melissa virus have been seen with more than 100,000 copies, and Symantec still blocks up to 10 copies each month.
“This was the first attack of this magnitude,” recalls Shipp. “I remember when the numbers reached the hundreds within the first hour of stopping Melissa – which were significant levels in 1999 – we knew the threat landscape had changed forever.”